Managing certificates

Certificate Manager uses reports from Tanium Reporting. From the Certificate Manager Overview page, you can use Certificate Manager data to:

  • Find expired or expiring certificates
  • Identify weak cryptographic algorithms and key lengths
  • View self-signed and unauthorized CA certificates
  • Send certificate data using the Tanium Reporting (Source Data) source in Tanium Connect

View the Certificate Manager dashboard in Tanium Reporting

The Certificate Manager dashboard in Tanium Reporting includes three sections. The Overview section shows a high-level view of the number of certificates across your endpoints. The Listening SSL/TLS Services Certificate and Cipher Inventory section shows certificates that are currently being served, while the All Certificates section shows all certificates that are being referenced.

  1. From the Main menu, go to Data > Dashboard and select the Certificate Manager label.
  2. To view the dashboard, click Certificate Manager.

Click on the name of a chart panel to open the report that supplies the data to that chart, or click any data point on a chart to view the data in the report. For more information about dashboards, see Tanium Reporting User Guide: Working with dashboards.

You can also go to Modules > Certificate Manager > Overview to view the dashboard and reports.

View expired certificates

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the All Certificates section, click Expired Certificates.

This data comes from the Certificate Manager - Expired Certificates report in Tanium Reporting.

View expiring certificates

View listening service certificates that are expiring in 30 days

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service Certificates Expiring in 30 Days to view the list of expiring certificates.

This data comes from the Certificate Manager - Certificates Expiring within 30 Days report in Tanium Reporting.

To send a recurring email with the list of listening service certificates that are expiring in 30 days, Email a report of expiring certificates with Tanium Connect using the Certificate Manager - Listening Service Certificates Expiring within 30 Days report.

View all certificates that are expiring in 30 days

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the All Certificates section, click Expiring within 30 Days to view the list of expiring certificates.

This data comes from the Certificate Manager - Certificates Expiring within 30 Days report in Tanium Reporting.

To send a recurring email with the list of all certificates that are expiring in 30 days, Email a report of expiring certificates with Tanium Connect using the Certificate Manager - Certificates Expiring within 30 Days report.

Email a report of expiring certificates with Tanium Connect

Before you begin

Ensure that you have Tanium Connect 5.9.65 or later installed.

Create a connection

  1. From the Main menu, go to Modules > Connect > Connections and then click Create Connection.
  2. In the General Information section, provide a name and optional description for the connection.
  3. In the Configuration section, configure the source and destination.
    1. For Source, select Tanium Reporting (Source Data).
    2. For Report, select one of the following reports:
      • Certificate Manager - Listening Service Certificates Expiring within 30 Days
      • Certificate Manager - Certificates Expiring within 30 Days
    3. For Destination, select Email and then provide the required information. For more information about configuring email destinations, see Tanium Connect User Guide: Configuring email destinations.
  4. In the Configure Output section, select the Format.
  5. In the Schedule section, select Enable Schedule to configure schedule preferences, and then click Save.

    Schedule this connection to run at least weekly.

For more information, see Tanium Reporting User Guide: Export reports through Tanium Connect.

View short keys

View listening service certificates that use short keys

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service Short Keys to view the EC certificates that use a Public Key Bit Size less than 256 or RSA certificates that use a Public Key Bit Size less than 2048.

This data comes from the Certificate Manager - Listening Service Short Keys report in Tanium Reporting.

View all certificates that use short keys

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the All Certificates section, click Total Short Keys to view the EC certificates that use a Public Key Bit Size less than 256 or RSA certificates that use a Public Key Bit Size less than 2048.

This data comes from the Certificate Manager - Short Keys report in Tanium Reporting.

View weak signatures

View listening service certificates that use weak signatures

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service Weak Signature Hash Algorithms to view the certificates that use the sha1 or md5 Signature Hash Algorithm.

This data comes from the Certificate Manager - Listening Service Weak Signatures report in Tanium Reporting.

View all certificates that use weak signatures

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the All Certificates section, click Certificate Manager - Weak Signatures Hash Algorithms to view the certificates that use the sha1 or md5 Signature Hash Algorithm.

This data comes from the Certificate Manager - Weak Signatures report in Tanium Reporting.

View wildcard certificates

View listening service certificates that use a wildcard subject

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service with Wildcard Certificates to view the certificates that use a wildcard subject.

View all certificates that use a wildcard subject

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the All Certificates section, click Wildcard Certificates to view the certificates that use a wildcard subject.

This data comes from theCertificate Manager - Wildcard Certificatesreport in Tanium Reporting.

View self-signed certificates

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Self Signed in the Listening Service Certificate Authorized CA Status panel.

This data comes from theCertificate Manager - Listening Service SSL Certificate Detailsreport in Tanium Reporting.

View unauthorized certificates

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Unauthorized in the Listening Service Certificate Authorized CA Status panel.

This data comes from theCertificate Manager - Listening Service SSL Certificate Detailsreport in Tanium Reporting.

After you review the list of unauthorized certificates, you can Configure certificate authorities or Configure exclusion list.

Prepare for post-quantum cryptography

Certificates that use certain encryption algorithms are more likely to be compromised by future advances in quantum computer capabilities. Certificate Manager does not specifically scan for post-quantum cryptographic algorithms, but the Certificate Manager - Listening Service Cipher Suite Details report includes a Cipher Suite column that shows the algorithm and key length. This information is used by Certificate Manager to provide the Cipher Approval Status ratings of Approved or Not Approved.

For more information, see The White House: Memo on Migrating to Post-Quantum Cryptography.

As suggested in the White House memo, analyzing quantum computer vulnerability exposure starts with building a comprehensive, real-time inventory of all cryptographic algorithms and ciphers in use within the environment.

View listening services accepting unapproved ciphers

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Services Accepting Unapproved Ciphers to view the ports that are accepting unapproved ciphers.

This data comes from the Certificate Manager - Listening Services Accepting Unapproved Ciphers report in Tanium Reporting.

View listening service certificates by approval status

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service Cipher Inventory to view the certificates by cipher approval status.

This data comes from the Certificate Manager - Listening Service Cipher Suite Details report in Tanium Reporting.